
Group:  English: Windows Server » microsoft.public.windows.server.dns
Thread: Don't want to use Root Hints but DO want to use selective forwarding


Don't want to use Root Hints but DO want to use selective forwarding
"Alan Sandal" <alan.sandal[ at ]yahoo.co.uk> 10/14/2008 2:39:02 PM
Someone MUST have seen this before.

I have several domains hosted on my Windows 2003 infrastructure and several
domains listed for conditional forwarding. Name resolution for the
authoritative domains and those specifically forwarded are working just
fine.

All Internet connectivity is via a proxy server in a DMZ and we have no
requirement to allow workstations to resolve external DNS entries
themselves - therefore there's no DNS connectivity from our internal DNS
servers to the Internet.


The problem comes when a machine queries for an address which isn't in
either the hosted domains or in a domain for which a forwarder is specified
e.g. www.microsoft.com. The internal servers can't resolve this, they have
no forwarder specified to which they can forward it.


They of course try to contact a root hints server. Now this is the problem -
the timeout for this is several seconds and causes all machines making
invalid queries to stop and wait for a timeout. In an ideal world (or at
least an ideal network) there would be no incorrect queries but I've got
lots of them and can't tackle the problem 'properly' by resolving the
underlying problem. What I'd like to do is minimise the problem by sending a
DNS failure msg immediately. I know:

1. If I add a root domain to my servers I get an immediate DNS failure
(good) but forwarding is disabled and I have several conditional forwarders.

2. If I disable recursion for the server I get an immediate DNS failure
(good) but forwarding is disabled and I have several conditional forwarders.

3. If I disable recursion for 'all other domains' the setting doesn't seem
to have any effect on my servers' habit of querying root hints.

4. If I remove all root hints from my cache files and AD I get an immediate
DNS failure (good) but this isn't supported by Microsoft and I _need_ this
to be squeaky clean.


I've currently got just one root hint specified but this is a lousy solution
as all it does is reduce the timeout to a few seconds rather than a
hundredth of a second.

Does anyone know how to stop root hints being queried when every other
method of resolution has failed (bearing in mind 'Do Not Use Recursion for
this domain' is already checked for 'All other domains' and doesn't have any
effect)?

Thanks

Alan
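The complaint above is really about latency, not correctness: a query for a name that is neither hosted nor conditionally forwarded should fail in a hundredth of a second, yet it hangs for the root-hints timeout. Before and after changing forwarders, root hints or recursion settings, it helps to measure that directly from a workstation. The following is an added example (not code from the thread or from Microsoft) that sends a raw DNS query with the standard library only and reports the response code and the time taken, so the three classes of name (hosted zone, conditionally forwarded zone, everything else) can be compared. The server address `192.0.2.10`, the sample names and the 1-second "slow" threshold are assumptions to be replaced.

```python
"""Time DNS answers per name class to spot root-hints fallback delays.

Added example, not part of the newsgroup thread. Standard library only.
Server address, test names and thresholds below are assumptions.
"""
import random
import socket
import struct
import time

# Response codes a troubleshooter cares about (RFC 1035 / RFC 2136 values).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qid: int, rd: bool = True) -> bytes:
    """Encode one A-record question for `name` in DNS wire format."""
    flags = 0x0100 if rd else 0x0000  # RD bit: ask the server to recurse/forward
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data: bytes, expected_id: int) -> dict:
    """Extract the header fields that explain *why* a lookup failed."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    return {
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "aa": bool(flags & 0x0400),   # authoritative answer (hosted zone)
        "ra": bool(flags & 0x0080),   # recursion available on the server
        "answers": an,
        "authority": ns,
    }


def probe(server: str, name: str, timeout: float = 5.0) -> dict:
    """Send one query over UDP and return rcode plus elapsed seconds."""
    qid = random.randrange(0, 0x10000)
    query = build_query(name, qid)
    started = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
            result = parse_response(data, qid)
        except socket.timeout:
            # No answer at all: the server is still walking root hints.
            result = {"rcode": "TIMEOUT", "aa": False, "ra": False,
                      "answers": 0, "authority": 0}
    result["seconds"] = round(time.monotonic() - started, 3)
    return result


def is_slow_failure(result: dict, threshold: float = 1.0) -> bool:
    """True when the lookup failed AND took longer than the threshold.

    An NXDOMAIN in a few milliseconds is the desired outcome; a SERVFAIL or
    a timeout after several seconds is the root-hints stall from the post.
    """
    failed = result["rcode"] in ("SERVFAIL", "NXDOMAIN", "TIMEOUT")
    return failed and result["seconds"] >= threshold


if __name__ == "__main__":
    SERVER = "192.0.2.10"  # assumption: an internal DNS server
    NAMES = [
        "host.hosted.example",       # assumption: a zone the server hosts
        "host.forwarded.example",    # assumption: a conditionally forwarded zone
        "www.microsoft.com",         # neither: should fail fast, not stall
    ]
    for n in NAMES:
        r = probe(SERVER, n)
        flag = "SLOW FAILURE" if is_slow_failure(r) else "ok"
        print(f"{n:28} {r['rcode']:9} aa={r['aa']} ra={r['ra']} "
              f"{r['seconds']:>6}s  {flag}")
```

Run it from a workstation against each internal server; a third-class name that reports `SERVFAIL` or `TIMEOUT` after several seconds is the root-hints stall, while `NXDOMAIN` in milliseconds means the server is now failing immediately as intended.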


Re: Don't want to use Root Hints but DO want to use selective forwarding
Andrew Hodgson <me3[ at ]privacy.net> 10/18/2008 7:56:21 PM
On Tue, 14 Oct 2008 15:39:02 +0100, "Alan Sandal"
<alan.sandal[ at ]yahoo.co.uk> wrote:

>Someone MUST have seen this before.
>
>I have several domains hosted on my Windows 2003 infrastructure and several
>domains listed for conditional forwarding. Name resolution for the
>authoritative domains and those specifically forwarded are working just
>fine.
>
>All Internet connectivity is via a proxy server in a DMZ and we have no
>requirement to allow workstations to resolve external DNS entries
>themselves - therefore there's no DNS connectivity from our internal DNS
>servers to the Internet.
>
>
>The problem comes when a machine queries for an address which isn't in
>either the hosted domains or in a domain for which a forwarder is specified
>e.g. www.microsoft.com. The internal servers can't resolve this, they have
>no forwarder specified to which they can forward it.
>
>
>They of course try to contact a root hints server. Now this is the problem -
>the timeout for this is several seconds and causes all machines making
>invalid queries to stop and wait for a timeout. In an ideal world (or at
>least an ideal network) there would be no incorrect queries but I've got
>lots of them and can't tackle the problem 'properly' by resolving the
>underlying problem. What I'd like to do is minimise the problem by sending a
>DNS failure msg immediately. I know:
>
>1. If I add a root domain to my servers I get an immediate DNS failure
>(good) but forwarding is disabled and I have several conditional forwarders.
>
>2. If I disable recursion for the server I get an immediate DNS failure
>(good) but forwarding is disabled and I have several conditional forwarders.

This is what we did in this situation, but instead of using
conditional forwarders, we used stub zones which were AD integrated,
which created the necessary NS and A glue records for everything to
work fine.

Andrew.
Re: Don't want to use Root Hints but DO want to use selective forwarding
"Alan Sandal" <alan.sandal[ at ]yahoo.co.uk> 10/21/2008 9:06:28 AM
Unfortunately not an option for us as for misc security reasons we can't
permit our workstations to directly query the DNS server we currently
forward to but thanks for the suggestion.

Regards

Allan

"Andrew Hodgson" <me3[ at ]privacy.net> wrote in message
news:onfkf4lfh011abeakunu1n0f0is75726oo[ at ]news.giganews.com...
> On Tue, 14 Oct 2008 15:39:02 +0100, "Alan Sandal"
> <alan.sandal[ at ]yahoo.co.uk> wrote:
>
>>Someone MUST have seen this before.
>>
>>I have several domains hosted on my Windows 2003 infrastructure and
>>several
>>domains listed for conditional forwarding. Name resolution for the
>>authoritative domains and those specifically forwarded are working just
>>fine.
>>
>>All Internet connectivity is via a proxy server in a DMZ and we have no
>>requirement to allow workstations to resolve external DNS entries
>>themselves - therefore there's no DNS connectivity from our internal DNS
>>servers to the Internet.
>>
>>
>>The problem comes when a machine queries for an address which isn't in
>>either the hosted domains or in a domain for which a forwarder is
>>specified
>>e.g. www.microsoft.com. The internal servers can't resolve this, they have
>>no forwarder specified to which they can forward it.
>>
>>
>>They of course try to contact a root hints server. Now this is the
>>problem -
>>the timeout for this is several seconds and causes all machines making
>>invalid queries to stop and wait for a timeout. In an ideal world (or at
>>least an ideal network) there would be no incorrect queries but I've got
>>lots of them and can't tackle the problem 'properly' by resolving the
>>underlying problem. What I'd like to do is minimise the problem by sending
>>a
>>DNS failure msg immediately. I know:
>>
>>1. If I add a root domain to my servers I get an immediate DNS failure
>>(good) but forwarding is disabled and I have several conditional
>>forwarders.
>>
>>2. If I disable recursion for the server I get an immediate DNS failure
>>(good) but forwarding is disabled and I have several conditional
>>forwarders.
>
> This is what we did in this situation, but instead of using
> conditional forwarders, we used stub zones which were AD integrated,
> which created the necessary NS and A glue records for everything to
> work fine.
>
> Andrew.

